Which path/filter/tier is right for me?
Pick the option that sounds most like your home or ministry. We’ll show you the correct setup links and instructions.
light_mode
“Set your minds on things above.” — Colossians 3:2 (NET)
Scripture-rooted DNS filtering
Faithful internet protection for churches, families, and believers.
GraceDNS keeps congregations and households focused on Christ by filtering the web through prayerfully maintained block lists. There is nothing to buy or install—just trustworthy DNS endpoints you can adopt in under a minute.
We never log the sites you request. Every lookup travels through encrypted, private channels so your devotion and study remain unseen.
church
The Church
The simple steps on this page help volunteers shield sanctuaries, classrooms, and offices without an IT staff.
family_restroom
Families
Set one tier on the router and every phone, TV, and tablet follows the same Christ-centered guardrails.
person
Individuals
Missionaries, college students, and travelers can protect a single device from anywhere in the world.
Our calling
Guarding hearts and screens through prayerful DNS
GraceDNS serves pastors, parents, and disciplers who want every screen to echo Philippians 4:8. Our motto comes from Psalm 101:3—“I will set no worthless thing before my eyes.” We constantly review harmful domains so the Church can worship, study, and fellowship without digital noise.
volunteer_activism
Strengthen the Church
Volunteer teams can secure sanctuaries, offices, and classrooms using the step-by-step instructions shared here.
family_restroom
Disciple Families
Three tiers let parents match their convictions without needing special hardware or subscriptions.
person
Equip Individuals
Believers on mission, at school, or on the road can point one device to GraceDNS in moments.
school
Steady Classrooms
Schools and co-ops can assign the right tier to each lab or room through clear, printable directions.
Paths for every household
Four tiers shaped by Scripture
Pick the tier that matches your convictions and copy either the DNS-over-HTTPS (DoH) address or the DNS-over-TLS (DoT) hostname. Once saved, every request routes through GraceDNS automatically.
Every tier is tuned to avoid needless breakage—the difference between Sinai, Zion, and Glory is how aggressive we get. Our developers even run Glory full time so we can spot and fix issues quickly.
Eden
A peaceful starting tier that blocks obvious harm and fraud while letting daily browsing operate as expected.
- Stops malicious, misleading, and phishing domains
- Quietly thins out basic tracking and scam ads
- Keeps breakage minimal for general-purpose devices
lock
Most private option—enter this whenever a device supports DNS-over-HTTPS.
dns
Private fallback for gear that asks for a TLS hostname or Android Private DNS entry.
language
Primary IPv4
language
Secondary IPv4
Not encrypted—use only if DoH and DoT are unavailable on that device.
Works for iPhone, iPad, and Mac (including iMac and MacBook).
Sinai
Builds on Eden with decisive blocks for explicit content, gambling, piracy hubs, and bypass tools. SafeSearch stays enforced on every major search engine.
- Adds explicit, gambling, and occult block lists
- Stops most proxy, VPN, and illicit download sites
- lock Forces SafeSearch on every major engine
- Engineered for family devices with very low breakage risk
lock
Preferred Sinai endpoint; use it whenever a platform lets you paste a DoH URL.
dns
Second choice—encrypted via TLS for clients that only accept hostnames.
language
Primary IPv4
language
Secondary IPv4
Unencrypted legacy service; rely on it only when secure DNS cannot be configured.
Works for iPhone, iPad, and Mac (including iMac and MacBook).
Zion
Extends Sinai by stripping broad ad networks, push-alert trackers, and cross-app telemetry so prayerful spaces stay calm.
- Removes aggressive ad and tracking networks
- Quiets push-notification and telemetry systems
- Ideal for chapels and classrooms while still aiming for low breakage
lock
Best privacy for Zion—browsers and apps should use this DoH URL whenever possible.
dns
Use this TLS hostname when devices rely on Apple profiles or Android Private DNS instead of raw URLs.
language
Primary IPv4
language
Secondary IPv4
Legacy IPv4 stays unencrypted; reach for it only if secure DNS settings are missing.
Works for iPhone, iPad, and Mac (including iMac and MacBook).
Glory
Our most controlled tier, silencing nearly every tracker, referral system, and telemetry feed. Reserve it for kiosks, pulpits, or supervised ministry machines.
- Sweeps almost every known tracker and referral service
- We run Glory daily; most apps stay usable but a few may still need allowances
- Built for kiosks, pulpits, or lab devices under oversight
lock
Strongest privacy—always start with this Glory DoH link.
dns
Second-best, encrypted via TLS; point Apple/Android Private DNS profiles here when DoH cannot be set.
language
Primary IPv4
language
Secondary IPv4
Last resort because traffic is unencrypted—use only if the secure options truly cannot be configured.
Works for iPhone, iPad, and Mac (including iMac and MacBook).
Guides for every device
Set up GraceDNS in minutes
Every major platform already understands secure DNS. Copy the DoH URL or DoT hostname for your tier, follow the short guide below, and your devices immediately inherit GraceDNS protections.
phone_android
Android (Private DNS / DoT)
- Open Settings → Network & internet (or Connections).
- Choose Private DNS.
- Select “Private DNS provider hostname”.
- Enter your tier’s DNS-over-TLS name (example:
sinai.gracedns.org) and tap Save.
Older phones may need a trusted DNS app from the Play Store. Choose one that lets you paste the DNS-over-HTTPS URL.
phone_iphone
iPhone & iPad
- Tap the Install Apple profile button for your tier.
- Choose
Allow
when Safari asks to download the profile. - Open Settings → Profile Downloaded.
- Install the profile and enter your passcode if prompted.
- GraceDNS activates instantly; install another profile to switch tiers.
iPhone and iPad trust these profiles system-wide, so every app follows the tier you select automatically.
laptop_mac
Mac (MacBook / iMac)
- Download or AirDrop the tier’s configuration profile.
- Open it from Finder or System Settings → Profiles.
- Click
Install
and confirm with your password. - Your Mac, iMac, or MacBook now routes DNS through GraceDNS.
Prefer manual entry? Open System Settings → Network → Details → DNS and paste the same hostnames shown above.
laptop_windows
Windows 10/11
- Open Settings → Network & internet.
- Select your active connection (Wi-Fi or Ethernet) and choose Edit under DNS server assignment.
- Switch to Manual, enable IPv4, and enter the two GraceDNS IPv4 addresses for your tier.
- Set “Preferred DNS encryption” to
Encrypted only (DoH)
if available, then save.
Older builds without DoH support will still honor the IPv4 entries, just without encryption.
router
Home routers
- Open your router dashboard (address is usually printed underneath).
- Locate the DNS or Internet settings area.
- Paste the GraceDNS IPv4 addresses or DoH/DoT hostname.
- Save. Every device on that network now follows your tier.
Keep another tier handy in case certain smart devices need less aggressive filtering.
school
Chromebooks & shared devices
- Upload the GraceDNS profile into Google Admin (or install manually on each Chromebook).
- Assign it to the organizational units that need protection.
- Update the profile whenever you want devices to switch tiers.
Perfect for schools, co-ops, libraries, and multiuser carts.
We test Glory daily to keep it usable, but it is still the strictest tier—keep Sinai or Eden nearby for devices that must stay flexible.
Convictions we uphold
What each tier removes
spa
Eden
- Cuts off malicious, deceitful, and phishing domains
- Disrupts scam pages and fake tech support pop-ups
- Trims common trackers that follow daily browsing
- Silences nuisance ads tied to unsafe sources
landscape
Sinai
- Everything from Eden
- Explicit, occult, and gambling domains
- Piracy hubs and grey-market streaming sites
- Proxies, VPN list hosts, and filter bypass tools
- Enforces SafeSearch on Google, Bing, DuckDuckGo, and YouTube
castle
Zion
- Everything from Sinai
- Full-spectrum ad networks and autoplay feeds
- Push-notification and retargeting campaigns
- Cross-app tracking systems and telemetry clouds
light_mode
Glory
- Everything from Zion
- Most analytics, telemetry, and crash-reporting services
- Advertising CDNs and social tracking pixels
- Will occasionally break apps that rely on tracking
Anchored in Scripture
“I will set no worthless thing before my eyes.”
“I will set no worthless thing before my eyes; I hate the work of those who fall away.”
Psalm 101:3 steadies our block lists. If a site pulls hearts away from Christ or delights in sin, we remove it so the Body can stay focused on the Lord.
Psalm 101:3 (NET)
Shared stewardship
GraceDNS stays free when the Church carries it together
GraceDNS is a ministry effort. If the Lord prompts you to help cover servers and the time spent curating block lists, consider $5/year for an individual, $15/year for a household, or $3/student/year for schools. Give whatever fits, or nothing at all—we are grateful either way. GraceDNS remains free for individuals, families, nonprofits, and local churches. We simply ask that you use prayer and discernment as you consider whether GraceDNS fits your household or ministry and whether the Lord is leading you to share a gift. If you’re a for‑profit business or industry group, send us a note so we can pray with you and prepare a simple quote that fits your needs.
Funds new block lists
Keeps fast, redundant servers
Blesses small congregations
GraceDNS is not a 501(c)(3), so gifts are not tax-deductible and cannot be refunded. Stripe emails a receipt instantly.
Need a ministry invoice? Email us.Need guidance?
Questions we hear most
How do the tiers differ?
Eden blocks obvious harm and scams. Sinai adds explicit, gambling, and piracy protections with SafeSearch. Zion removes wide ad networks and tracking. Glory blocks nearly every telemetry feed and sometimes needs special allowances.
Will the stronger tiers break sites?
Every tier is tuned to avoid needless breakage, but the more we block, the higher the chance something relies on it. Zion may occasionally pause notification-heavy apps, and Glory might need an allowlist entry. Our team runs Glory all day so we can fix problems quickly; keep Sinai or Eden handy for anything urgent.
Where should families begin?
Most households start with Sinai for firm protection and minimal breakage. Use Eden for work devices that must remain flexible. Reserve Zion for quiet spaces and Glory for supervised stations.
Do you log what I browse?
We only capture the information needed to answer DNS requests. Short-lived troubleshooting logs may include anonymized network data (for example, IPv4 addresses masked to 123.123.123.xxx), and are deleted once we resolve technical issues. We never sell data or build marketing profiles, and every lookup travels over encrypted transport.
How do I switch tiers later?
Replace the DoH/DoT endpoint in your settings or install a new profile. Most devices adopt the new tier within seconds.
Is GraceDNS only for churches?
No. We gladly serve churches, homes, missionaries, schools, and anyone who wants Christ-honoring filtering.
Covering details
GraceDNS is shepherded by Ole Brook Web Services
Ole Brook Web Services in Mississippi builds practical tools for churches and small businesses. We built GraceDNS first and foremost to serve Christ; along the way it became the default DNS we use to protect every Ole Brook Web Services client network, and we are humbled to offer that same protection freely to the wider Body.
Visit olebrookwebservices.com